==Phrack Inc.==
Volume Three, Issue 29, File #11 of 12
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN P h r a c k W o r l d N e w s PWN
PWN ~~~~~~~~~~~ ~~~~~~~~~ ~~~~~~~ PWN
PWN Issue XXIX/Part 2 PWN
PWN PWN
PWN November 17, 1989 PWN
PWN PWN
PWN Created, Written, and Edited PWN
PWN by Knight Lightning PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
Offensive Message Flashes At Busy City Corner October 25, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Linda Wheeler (Washington Post)
An offensive message that mystified the owners of an electronic information
board was flashed Monday, October 23 at Connecticut Avenue and L Street NW, one
of the city's (Washington DC) busiest intersections.
A Georgetown University law student, Craig Dean, said he saw the message;
"HELP STAMP OUT A.I.D.S. NOW: KILL ALL QUEERS AND JUNKIES"
It flashed five times in 25 minutes. Minutes after seeing the message, he
called the city Human Rights Office and the Washington Blade, a gay community
newspaper.
Doug Hinckle, a staff photographer for the Blade, saw the message flash once
and photographed it.
Judith Miller, president of Miller Companies, which own the building at 1101
Connecticut Avenue NW and the message board, said she did not know how the
statement got onto the board. She refused to believe it had appeared until she
was shown of the photographs.
Her company has complete control of the board and does not accept any paid
messages or advertisements, Miller said. "I would never do anything like
that," she said. "There is no way I would allow such a statement to appear."
Yesterday, Keller, a five-year employee of the Miller Companies, said he did
not write the statement and does now know how it became part of the normal flow
of headline news.
Miller said she believes her computer system may have a "virus" and will have
experts search to find where the unauthorized statement originated. "How
absolutely awful," she said of the message.
_______________________________________________________________________________
"WANK" Worm On SPAN Network October 17, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~
From The Computer Emergency Response Team
On October 16, the CERT received word from SPAN network control that a worm was
attacking SPAN VAX/VMS systems. This worm affects only DEC VMS systems and is
propagated via DECnet protocols, not TCP/IP protocols. If a VMS system had
other network connections, the worm was not programmed to take advantage of
those connections. The worm is very similar to last year's HI.COM (or Father
Christmas) worm.
This is NOT A PRANK. Serious security holes are left open by this worm. The
worm takes advantage of poor password management, modifies .com files, creates
a new account, and spreads to other systems via DECnet.
It is also important to understand that someone in the future could launch this
worm on any DECnet based network. Many copies of the virus have been mailed
around. Anyone running a DECnet network should be warned.
R. Kevin Oberman from Lawrence Livermore National Labs reports:
"This is a mean bug to kill and could have done a lot of damage.
Since it notifies (by mail) someone of each successful penetration
and leaves a trapdoor (the FIELD account), just killing the bug is
not adequate. You must go in an make sure all accounts have
passwords and that the passwords are not the same as the account
name."
The CERT/CC also suggests checking every .com file on the system. The worm
appends code to .com files which will reopen a security hole everytime the
program is executed.
An analysis of the worm appears below and is provided by R. Kevin Oberman of
Lawrence Livermore National Laboratory. Included with the analysis is a DCL
program that will block the current version of the worm. At least two versions
of this worm exist and more may be created. This program should give you
enough time to close up obvious security holes.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Report on the W.COM worm.
R. Kevin Oberman
Engineering Department
Lawrence Livermore National Laboratory
October 16, 1989
The following describes the action of the W.COM worm (currently based on the
examination of the first two incarnations). The replication technique causes
the code to be modified slightly which indicates the source of the attack and
learned information.
All analysis was done with more haste than I care for, but I believe I have all
of the basic facts correct.
Here is a description of the program:
1. The program assures that it is working in a directory to which the owner
(itself) has full access (Read, Write,Execute, and Delete).
2. The program checks to see if another copy is still running. It looks for a
process with the first 5 characters of "NETW_". If such is found, it
deletes itself (the file) and stops its process.
Note: A quick check for infection is to look for a process name starting
with "NETW_". This may be done with a SHOW PROCESS command.
3. The program then changes the default DECNET account password to a random
string of at least 12 characters.
4. Information on the password used to access the system is mailed to the user
GEMPAK on SPAN node 6.59. Some versions may have a different address.
5. The process changes its name to "NETW_" followed by a random number.
6. It then checks to see if it has SYSNAM priv. If so, it defines the system
announcement message to be the banner in the program:
W O R M S A G A I N S T N U C L E A R K I L L E R S
_______________________________________________________________
\__ ____________ _____ ________ ____ ____ __ _____/
\ \ \ /\ / / / /\ \ | \ \ | | | | / / /
\ \ \ / \ / / / /__\ \ | |\ \ | | | |/ / /
\ \ \/ /\ \/ / / ______ \ | | \ \| | | |\ \ /
\_\ /__\ /____/ /______\ \____| |__\ | |____| |_\ \_/
\___________________________________________________/
\ /
\ Your System Has Been Officically WANKed /
\_____________________________________________/
You talk of times of peace for all, and then prepare for war.
7. If it has SYSPRV, it disables mail to the SYSTEM account.
8. If it has SYSPRV, it modifies the system login command procedure to
APPEAR to delete all of a user's file. (It really does nothing.)
9. The program then scans the accounts logical name table for command
procedures and tries to modify the FIELD account to a known password with
login form any source and all privs. This is a primitive virus, but very
effective IF it should get into a privileged account.
10. It proceeds to attempt to access other systems by picking node numbers at
random. It then used PHONE to get a list of active users on the remote
system. It proceeds to irritate them by using PHONE to ring them.
11. The program then tries to access the RIGHTSLIST file and attempts to access
some remote system using the users found and a list of "standard" users
included with the worm. It looks for passwords which are the same as that
of the account or are blank. It records all such accounts.
12. It looks for an account that has access to SYSUAF.DAT.
13. If a priv. account is found, the program is copied to that account and
started. If no priv account was found, it is copied to other accounts
found on the random system.
14. As soon as it finishes with a system, it picks another random system and
repeats (forever).
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Computer Network At NASA Attacked By Rogue Program October 18, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by John Markoff (New York Times)
A rogue computer program attacked a worldwide network of the National
Aeronautics and Space Administration on Monday, October 16, inflicting no
damage but forcing officials to disconnect the network from sensitive military
and space systems.
Security experts speculated that the program was written by someone who opposed
Tuesday's (October 17) scheduled launching of the space shuttle Atlantis, which
was to carry a nuclear-powered satellite into orbit. The launching was
postponed because of bad weather.
NASA officials said the rogue program attacked an academic and research
network, the Space Physics Analysis Network, which is not used for space
shuttle mission control.
But a NASA official said the agency felt compelled to disconnect several links
between the network and an operational space shuttle network as a precaution.
Computer security experts at several national laboratories said the Department
of Defense had also severed the connection between commercial and research
networks and nonclassified network that connects United States military
installations and contractors around the world.
The program was designed to copy itself secretly and send unwanted, sometimes
vulgar messages to users of the NASA network. It also tricks users into
thinking that data have been destroyed, although no data are damaged.
Like similar programs that have been sent into computer networks by pranksters
and saboteurs, it exploited a flaw in the security system designed to protect
the computers on the network.
Computer security experts said Tuesday that they knew of about 60 computers
that had been affected by the program. A NASA spokesman said the program was
still spreading.
While the network is widely available to academic researchers with personal
computers, the rogue program was designed to attack only 6,000 computers
manufactured by the Digital Equipment Corporation.
The flaw in the security of the Digital Equipment computers had been widely
publicized over a year ago even before a similar rogue program jammed a group
of interconnected international networks known as the Internet. NASA officials
said the program was only able to attack computers in which the necessary steps
had not been taken to correct the flaw.
Among the messages the program displayed on all infected computers was one that
read: "Worms Against Nuclear Killers. You talk of times of peace for all, and
then prepare for war."
Computer scientists call this kind of program a worm, a reference to a program
first described in the novel "Shockwave Rider" by a science fiction writer,
John Brunner.
_______________________________________________________________________________
Virus Controversies Again October 6, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~
by John Markoff (New York Times)
"The issue has also sparked interest among computer scientists."
Harold Highland, editor of Computers & Security, a professional journal, said
he had received two research papers describing how to create such anti-virus
programs.
He has not decided whether to publish them.
"No one has raised the obvious ethical questions," he added. "I would hate to
see a virus released to fight viruses. Until it's tested you don't know
whether it's going to do more damage than the program it is designed to fight."
A number of these programs have already been written, computer researchers
said.
The one that destroyed the data on business and governmental personal computers
in the United States was reportedly designed by a Venezuelan programmer. How
many computers were affected and where they were is unclear.
That program is called Den Zuk, or Search. It was intended to attack a
destructive program known as the Brain Virus that was distributed in 1986 by
two brothers who owned a small computer store in Pakistan.
Errors in the design of the program illustrate the potential danger of such
viruses, critics say. Fridrik Skulason, a microcomputer specialist at the
University of Iceland in Reykjavik, who has disassembled the program, said the
author of Den Zuk had failed to take into account the different capacities of
disks available for IBM and IBM-compatible machines.
Because of that simple error, when the program infects a higher-capacity disk
it destroys data.
"They probably wrote with good intention," he said. "The only problem is that
the programmers were not able to do their job correctly."
At least two other anti-viral viruses have already been devised, said Russell
Brand, a computer security researcher at Lawrence Livermore.
He said programmers at one company, which he would not identify, had written
the programs to combat the Scores virus, a program that infected Macintosh
computers last year.
He added that even though the programs were designed so they could not go
beyond the company's own computers, there had been a heated debate over whether
to deploy the programs. He said he did not know how it was decided.
Brand said a group of computer researchers he works with at Lawrence Livermore
had written several self-replicating programs after the appearance of the rogue
program that Morris of Cornell is accused of writing. But he added that the
group had never given permission to release the programs.
The debate over vigilante viruses is part of a broader discussion now taking
place among some computer researchers and programmers over what is being termed
"forbidden knowledge."
"There are ethical questions any time you send something out there that may
find itself invited on to somebody else's computer," said Pamela Kane, author
of a book on computer virus protection.
In California this month a group of computer hackers plans to hold a forum on
"forbidden knowledge in a technological society."
While the role of the computer hacker has been viewed as mischievous in a
negative way, hackers have consistently played a role as innovators, said Lee
Felsenstein, a Berkeley, California, computer expert who designed several early
personal computers.
"Computer hacking was originally a response to the perception of a priesthood's
control over immensely powerful technological resources," he said. "Informed
individuals were able to break the power of this priesthood through gaining and
spreading the body of forbidden knowledge."
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dreaded Personal Computer Virus May Be Only A Cold October 6, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Don Clark (New York Times)
It won't be much of a plague. But the hysteria anticipating it has been
world-class.
Those observations come from computer-security experts as they await Datacrime,
a virus program set to attack IBM-compatible personal computers starting
Thursday, October 12, 1989.
Analyses of the program, also called the Columbus Day Virus, show that it is
indeed destructive. It just hasn't spread very far.
"It's going to be the week of the non-event," predicted John McAfee, a Santa
Clara, California, consultant who serves as chairman of the Computer Virus
Industry Association. "You have more chance of being hit by a meteor than
getting this virus."
McAfee Associates, which acts as a clearinghouse for virus information, has
received just seven confirmed reports of Datacrime in six months -- compared
with three to 50 reports per day about another virus that originated in Israel
in 1987. He thinks only 50 copies of Datacrime exist, and 40 of those are in
the hands of researchers.
"It's gotten more publicity than it deserves," agreed Russell Brand, another
virus expert, who advises Lawrence Livermore National Laboratory.
Brand expects to find just 20 copies among the 75,000 computers he monitors at
1,000 sites.
Such projections are disputed by some. They are based on how often Datacrime
has been detected by computer users using special software that scans their
systems for the virus.
The virus could have infected many users who have not bothered to scan their
systems, McAfee concedes.
Fears have been whipped up by the news media and computer managers at companies
and government agencies. Companies promoting products to eradicate viruses
also have played a role -- understandably.
Staid IBM Corporation this week took the unusual step of offering a program
that checks systems for viruses. The company hasn't detected the virus in its
own operations, but concedes that many customers are worried. "They are asking
us how we protect our software-development operations from viruses," said Bill
Vance, who was appointed a year ago as IBM's director of secure systems.
Bank of America, a huge IBM customer with 15,000 PCs, recently put out a
company-wide notice advising users to make backup copies of their computer data
by Wednesday, the day before the virus is programmed to strike.
Three different government agencies have panicked and sent out multiple
versions of incorrect advice," Brand said.
Worried calls have deluged McAfee's office, which has just three lines for
computer communications and three for voice.
"We put the phone down and it's 30 seconds before it rings again," he said.
Computer sleuths detected Datacrime -- and have detected other viruses -- by
looking for changes in the size of data files and in the way programs operate.
The underlying code used to write the program, once disassembled by experts,
indicates when the program will activate itself.
The identity of Datacrime's author isn't known, although some reports have
linked the virus to an anonymous hacker in Austria. It first began showing up
in March, McAfee said, and gained notoriety after it was discussed at the
midsummer Galactic Hackers Conference in Amsterdam.
It appears to be relatively prevalent in the Netherlands and other European
countries. Dutch computer users have reportedly bought hundreds of programs
that are said to detect and destroy the program.
Like other viruses, Datacrime rides along with innocuous programs when they are
exchanged over a computer network or computer bulletin board or through
exchange of infected disks. Unlike many viruses, it has been designed to later
insert itself in data files that users don't often examine.
If one of the programs is executed after the target date, Datacrime proceeds
with its dirty work -- destroying the directory used to keep track of files on
a computer's hard disk. The crime is analogous to destroying a card file in
the library.
"By destroying this one table you can't find where any of your data is," said
Brand.
But no one should really be in a fix if he makes backup copies of data, experts
say. The data, once safely stored on another disk drive or on magnetic tape,
can be restored by computer professionals even if the virus has infected the
backup files.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"Vaccines" To Hunt Down Rogue Programs October 6, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by John Markoff (New York Times)
Ever since a rogue program created by a graduate student jammed a nationwide
computer network last year, the rapid spread of such disruptive software, often
known as viruses, has caused growing alarm among computer users.
Now, to fight fire with fire, some companies, individuals and even a government
research laboratory are crafting a new breed of what have been called
anti-viruses to hunt down intruders.
The trouble is, some computer security experts say, the problem of viruses may
be exaggerated -- and the new crime fighter may do even more damage than the
criminal.
Much like an infection, a well-intended but badly designed program to stop
viruses can run amok, knocking out thousands of computers or destroying vast
amounts of data.
Indeed, one of the anti-virus programs intended to defeat a known virus has
already destroyed data on business and governmental personal computers in the
United States.
The issue has touched off a heated debate over whether the creation of these
high-technology vigilantes is a responsible action. "The risks are just
enormous," said Peter Neumann, a computer security expert at SRI International,
a technology research center in Menlo Park, California. "It's an unbelievably
unsafe thing to do."
But Chris Traynor, a programmer at Divine Axis, a software development company
in Yonkers, New York, argues that anti-virus programs can be contained so that
they do not spread out of control, reaching and possibly damaging data in other
computers. His company is now trying to design such a program.
Computer researchers at the Lawrence Livermore Laboratory, a federal weapons
center in Livermore, California, have designed similar programs that patrol
computer networks in search of breaches through which viruses could enter the
system.
Viruses, which got their name because they mimic in the computer world the
behavior of biological viruses, are programs, or sets of instructions, that can
secretly be spread among computers.
Viruses can travel either over a computer network or on an infected disk passed
by hand between computer users.
Once the infection has spread, the virus might do something as benign as
displaying a simple message on a computer screen or as destructive as erasing
the data on an entire disk.
Computer security experts have been concerned for several years by the
emergence of vandals and mischief makers who deliberately plant the destructive
programs.
But in recent weeks international alarm has reached new heights as rumors have
spread that a virus program will destroy data on thousands of computers this
month, on Friday the 13th.
Computer security researchers said the virus, known as Datacrime, was one of at
least three clandestine programs with internal clocks set to destroy data on
that date.
As is usually the case, no one knows who wrote the program, but U.S. military
officials have mentioned as possible suspects a European group linked to West
German terrorists and a Norwegian group displeased with the fame of Christopher
Columbus, who is honored next week.
Largely in response to customer concerns, IBM said on Monday that it was
offering programs for its personal computers that would scan for viruses.
But several computer security experts say public fears are largely exaggerated.
They note that there have been fewer than a dozen reported appearances of the
Datacrime virus in the United States, and contend that the whole issue is
overblown.
Still, in the personal computer world, where many users have little knowledge
of the technical workings of their machines, concern over computer viruses has
become widespread.
The issue got the most attention last November, when, it is charged, Robert
Morris, a graduate student at Cornell, unleashed a rogue program that because
of a small programming error, ran wildly out of control, copying itself
hundreds of times on thousands of computers, overloading a national network,
As a result of the mounting concern, a new industry has blossomed offering
users protective programs known as vaccines, or anti-viral software.
These programs either alert users that a virus is attempting to tamper with
their computer or scan a computer disk and erase any rogue program that is
detected.
These conventional programs do not automatically migrate from computer to
computer, but now some experts are exploring fashioning programs that graft the
powers of the vaccines onto viruses in order to pursue and stop them wherever
they go.
Designing and spreading such programs was proposed in August by several people
attending an international gathering of computer hobbyists, or "hackers," in
Amsterdam.
They suggested that it was a good way for members of the computer underground
to make a positive contribution.
But many researchers believe the idea is dangerously flawed because of the
possibility of accidentally doing great damage.
Some computer security researchers worry that writing an infectious program to
stop viruses may be taken as an intellectual challenge by hackers who are well
meaning but do not grasp what problems they could create.
"One of the questions that the hacker community is now addressing is what you
do about young hackers," said Stewart Brand, a writer in Sausalito, California,
who is working on a book on outlaw cultures and high technology.
"They don't have a sense of responsibility; they have a sense of curiosity.
These are deliciously debatable issues, and I don't see them going away."
_______________________________________________________________________________